4 Safety results
This section reports the results of the safety analysis of the STM32L4 and STM32L4+ Series devices, executed according
to IEC 61508 and to the ST methodology flow, for both random hardware failures and dependent failures.
4.1 Random hardware failure safety results
The analysis for random hardware failures of the STM32L4 and STM32L4+ Series devices reported in this safety
manual is executed according to the STMicroelectronics methodology flow for the safety analysis of semiconductor
devices in compliance with IEC 61508. The accuracy of the results obtained is guaranteed by three factors:
• the strict adherence of the STMicroelectronics methodology flow to IEC 61508 requirements and prescriptions
• the use, during the analysis, of detailed and reliable information on the microcontroller design
• the use of state-of-the-art fault injection methods and tools for the verification of the safety metrics
The Device safety analysis explored the complete list of Device failure modes, identifying for each of them an
adequate mitigation measure (safety mechanism). The complete list of Device failure modes is maintained in the
related FMEA document [1], available on request from the local STMicroelectronics sales office.
In summary, with the adoption of the safety mechanisms and conditions of use reported in
Section 3.7 Conditions of use, it is possible to achieve the integrity levels summarized in the following table.
Table 152. Overall achievable safety integrity levels

Number of Devices used   Safety architecture   Target       Safety analysis result
1                        1oo1/1oo1D            SIL2 LD      Achievable
1                        1oo1/1oo1D            SIL2 HD/CM   Achievable with potential performance impact (1)
2                        1oo2                  SIL3 LD      Achievable
2                        1oo2                  SIL3 HD/CM   Achievable with potential performance impact

1. The potential performance impact associated with some of the target achievements reported above is mainly due to the
need to execute periodic software-based diagnostics (refer to the safety mechanism descriptions for details). The impact
therefore depends strictly on how short the system-level process safety time (PST) is (see Section 3.3.1 Safety requirement
assumptions).
The resulting relative safety metrics (diagnostic coverage (DC) and safe failure fraction (SFF)) and absolute
safety metrics (probability of dangerous failure per hour (PFH), probability of dangerous failure on demand (PFD)) are not
reported in this section but in the failure modes, effects and diagnostic analysis (FMEDA) snapshot [2], because of:
• the large number of different STM32L4 and STM32L4+ Series parts,
• the possibility to declare unused peripherals as non-safety-relevant, and
• the possibility to enable or not each of the available safety mechanisms.
The FMEDA snapshot [2] is a static document reporting the safety metrics computed at different detail levels (at
microcontroller level and for the microcontroller basic functions) for a given combination of safety mechanisms and
for a given part number. If an FMEDA computation sheet is needed, contact the local STMicroelectronics sales
representative early, in order to receive information on the expected delivery dates for the specific Device target part number.
Note: Safety metrics computations are restricted to the STM32L4 and STM32L4+ Series boundary, hence they do not
include the WDTe, PEv, and VMONe processes described in Section 3.3.1 Safety requirement assumptions.
4.1.1 Safety analysis result customization
The safety analysis executed for the STM32L4 and STM32L4+ Series devices documented in this safety manual
considers all microcontroller modules to be safety-related, that is, able to interfere with the safety function, with no
exclusion. This is in line with the conservative approach to be followed in the analysis of a general-purpose
microcontroller, in order to remain agnostic with respect to the final application. This means that no microcontroller module
has been declared safe as per IEC 61508-4, 3.6.8. Therefore, all microcontroller modules are included in the SFF
computations.
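As an added illustration (not part of the original manual), the standard IEC 61508-2 definitions of the two relative metrics make the effect of this choice visible. With \lambda_{S} the safe failure rate, \lambda_{DD} the dangerous detected failure rate and \lambda_{DU} the dangerous undetected failure rate, summed over all the modules counted as safety-related:

$$
\mathrm{SFF} = \frac{\sum \lambda_{S} + \sum \lambda_{DD}}{\sum \lambda_{S} + \sum \lambda_{DD} + \sum \lambda_{DU}},
\qquad
\mathrm{DC} = \frac{\sum \lambda_{DD}}{\sum \lambda_{DD} + \sum \lambda_{DU}}
$$

A module that is not declared safe contributes its failures to these sums; any of its failures not covered by an enabled safety mechanism lands in \lambda_{DU}, which lowers both SFF and DC. Counting every module therefore can only decrease the claimed metrics with respect to an analysis that excludes unused modules, which is why declaring unused peripherals non-safety-relevant in the FMEDA (as allowed above) is the user's way to recover those figures for a specific application.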
UM2305
Safety results
UM2305 - Rev 10
page 91/110